Definition
3D Secure (3DS) authenticates the cardholder during an online payment. It is the screen your bank triggers — biometrics, notification or code — to confirm that it really is you.
Invented by Visa in 2001 and then adopted by Mastercard, Amex, JCB and Discover, the protocol was completely overhauled by EMVCo as 3DS2 (specification published in 2016, rolled out from 2019) to meet the Strong Customer Authentication (SCA) mandated by PSD2.
3DS1 vs 3DS2: the UX break
- 3DS1 (2001 → 2022, deprecated): SMS OTP or static password in an unappealing iframe, with almost no contextual data sent to the issuer. Poor UX (checkout abandonment commonly reported at 20–30%), no native mobile flow, and not SCA-compliant.
- 3DS2 (since 2019): native authentication inside the banking app, exchange of 150+ contextual parameters (device, browser, account history, delivery details) between merchant and issuer, and above all a frictionless flow that removes any cardholder interaction in 50–80% of cases. SCA-compliant.
Since October 2022, 3DS1 is officially end-of-life across the schemes: every new integration runs on 3DS2.
Frictionless flow vs challenge flow
The real contribution of 3DS2: not every payment triggers a visible SCA.
- Frictionless — the bank's ACS (Access Control Server) approves automatically based on context: known device, usual merchant, consistent amount. Payment in under 2 seconds, with no interaction.
- Challenge — the bank requires an explicit SCA (biometrics, push, OTP) that the customer actively completes.
The whole business challenge is to maximise frictionless without weakening security, hence the race to score risk on both the ACS and the merchant side.
The actors in 3DS
Five roles take part in the protocol:
- Cardholder — the holder of the card, who pays.
- Merchant — initiates the request through its PSP.
- 3DS Server — technical component on the merchant/PSP side (Adyen, Stripe, Worldline) that orchestrates the exchange.
- Directory Server (DS) — the scheme's central server (Visa, Mastercard, CB, Amex) that routes to the right bank.
- ACS — on the issuing bank's side, decides whether to authorise frictionless or to challenge, and runs the SCA where required.
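The exchange between those five roles, as an added example that is not part of the original page and not EMVCo's or any PSP's code: a 3DS Server builds an AReq, the Directory Server stamps it and forwards it, the ACS answers with an ARes (transStatus Y for frictionless, C for challenge), and a challenge is completed through CReq/CRes before the ACS sends the final RReq. Field names follow EMVCo 3DS 2.2; the card profile, the three-signal risk policy, the `deviceId` stand-in for browser/SDK device data, the OTP value and the ACS URL are all constructed for the example.

```python
"""Simplified 3DS2 flow: 3DS Server -> DS -> ACS, frictionless or challenge.

Constructed example. Message field names (threeDSServerTransID, acsTransID,
transStatus, threeDSRequestorChallengeInd, ...) follow EMVCo 3DS 2.2, but the
risk policy in acs_authenticate and the data below are invented for illustration.
"""
import base64
import secrets
import uuid

# Constructed issuer-side view of one card. A real ACS draws on far more signals
# (device fingerprint, velocity, history) than these three fields.
CARD_PROFILE = {
    "known_devices": {"dev-7f3a"},
    "usual_merchants": {"Decathlon"},
    "typical_amount_minor": 4000,   # EUR 40.00 in minor units
}

def build_areq(merchant, amount_minor, device_id, challenge_ind="01"):
    """3DS Server side: assemble the AReq. `deviceId` is a stand-in (assumption)
    for the browser/SDK device data the real message carries."""
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "messageCategory": "01",          # 01 = payment authentication (PA)
        "deviceChannel": "02",            # 02 = browser
        "threeDSServerTransID": str(uuid.uuid4()),
        "merchantName": merchant,
        "purchaseAmount": str(amount_minor),
        "purchaseCurrency": "978",        # ISO 4217 numeric code for EUR
        "purchaseExponent": "2",
        # 01 no preference, 03 challenge requested, 04 challenge mandated
        "threeDSRequestorChallengeInd": challenge_ind,
        "deviceId": device_id,
    }

def ds_route(areq):
    """Directory Server: stamps dsTransID and forwards to the issuer's ACS.
    Real BIN-based routing is replaced by a single ACS here."""
    return {**areq, "dsTransID": str(uuid.uuid4())}

def acs_authenticate(areq, profile=CARD_PROFILE):
    """ACS decision: frictionless (transStatus Y) or challenge (transStatus C).
    Policy (invented): known device AND usual merchant AND amount within 2x the
    typical basket, unless the merchant asked for or mandated a challenge."""
    amount = int(areq["purchaseAmount"])
    context_ok = (
        areq["deviceId"] in profile["known_devices"]
        and areq["merchantName"] in profile["usual_merchants"]
        and amount <= 2 * profile["typical_amount_minor"]
    )
    ares = {
        "messageType": "ARes",
        "threeDSServerTransID": areq["threeDSServerTransID"],
        "dsTransID": areq["dsTransID"],
        "acsTransID": str(uuid.uuid4()),
    }
    if context_ok and areq["threeDSRequestorChallengeInd"] not in ("03", "04"):
        # eci 05 is Visa's value for a fully authenticated transaction
        # (Mastercard uses 02); the authenticationValue (CAVV) is random here.
        ares.update(transStatus="Y", eci="05",
                    authenticationValue=base64.b64encode(secrets.token_bytes(20)).decode())
    else:
        ares.update(transStatus="C", acsURL="https://acs.example-bank.test/challenge")
    return ares

def acs_challenge(ares, otp_entered, otp_expected):
    """Challenge flow: the browser posts a CReq with the OTP to the ACS; the ACS
    then sends the final RReq (through the DS) to the 3DS Server."""
    assert ares["transStatus"] == "C"
    creq = {"messageType": "CReq", "acsTransID": ares["acsTransID"],
            "challengeDataEntry": otp_entered}
    ok = secrets.compare_digest(creq["challengeDataEntry"], otp_expected)
    rreq = {"messageType": "RReq",
            "threeDSServerTransID": ares["threeDSServerTransID"],
            "acsTransID": ares["acsTransID"],
            "transStatus": "Y" if ok else "N"}
    if ok:
        rreq["eci"] = "05"
        rreq["authenticationValue"] = base64.b64encode(secrets.token_bytes(20)).decode()
    return rreq

def run_payment(merchant, amount_minor, device_id, otp_entered=None,
                otp_expected="482913", challenge_ind="01"):
    """Whole exchange from the merchant's point of view; returns the outcome
    the PSP would pass into authorisation."""
    areq = ds_route(build_areq(merchant, amount_minor, device_id, challenge_ind))
    ares = acs_authenticate(areq)
    if ares["transStatus"] == "Y":
        return {"flow": "frictionless", "transStatus": "Y", "eci": ares["eci"]}
    rreq = acs_challenge(ares, otp_entered or "", otp_expected)
    return {"flow": "challenge", "transStatus": rreq["transStatus"], "eci": rreq.get("eci")}

if __name__ == "__main__":
    print(run_payment("Decathlon", 3500, "dev-7f3a"))                        # frictionless
    print(run_payment("Decathlon", 45000, "dev-new", otp_entered="482913"))  # challenge, Y
```

Two points worth noticing in the simulation: the merchant never sees the ACS's reasoning, only transStatus plus the authenticationValue and ECI it must forward in the authorisation request; and a challenge indicator of 04 (mandate) forces a challenge even when every context signal is green, which is how a merchant opts out of frictionless for a high-risk order.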
SCA exemptions via 3DS2
The SCA RTS (the regulatory technical standards under PSD2) provides for exemptions that the merchant's PSP can flag in the authentication or authorisation message; the issuing bank remains free to refuse them and challenge anyway:
- Low value: transaction ≤ €30, provided the cumulative amount since the last SCA stays ≤ €100 and no more than 5 consecutive transactions have gone through without SCA. The issuer keeps these counters, not the merchant.
- TRA (Transaction Risk Analysis): available if the PSP's fraud rate stays at or below the reference rate for the amount band: 0.13% for transactions up to €100, 0.06% up to €250, 0.01% up to €500. Above €500 TRA cannot be used.
- Trusted beneficiary: the cardholder has added the merchant to their whitelist in their banking app.
- Recurring transaction: a series of payments with the same amount and the same payee; the first one is authenticated with SCA, the following ones are exempt.
- MIT (Merchant Initiated Transaction): a later debit the cardholder consented to up front (subscription, stored card charged by the merchant). Strictly speaking this is out of SCA scope rather than an exemption: the initial customer-initiated transaction must be SCA-authenticated, and the follow-ups are flagged as merchant-initiated so that the issuer does not expect authentication.
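The exemption rules above as executable logic, an added example that is not part of the original page: an issuer-side counter for the low-value exemption, the TRA amount bands, and a merchant-side selection of which exemption to request. The thresholds are the RTS figures quoted above; the counter semantics (at most 5 exempt transactions and €100 cumulative since the last SCA, counting the current payment) follow this page's reading of Article 16, and the `CHALLENGE_IND` mapping to 3DS 2.2 threeDSRequestorChallengeInd values is my own summary of that field, both labelled as assumptions in the code. `CardCounters`, `choose_exemption` and `record_outcome` are hypothetical names.

```python
"""SCA exemption evaluator (constructed example, not a PSP's or issuer's code).

Amounts are in EUR minor units. Thresholds are the PSD2 RTS figures; the counter
semantics and the challenge-indicator mapping are assumptions noted inline.
"""
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30_00          # Art. 16: EUR 30 per transaction
LOW_VALUE_CUMULATIVE = 100_00    # Art. 16: EUR 100 cumulative since last SCA
LOW_VALUE_MAX_COUNT = 5          # Art. 16: 5 consecutive exempt transactions
# Art. 18 TRA bands: (amount ceiling, reference fraud rate in %)
TRA_THRESHOLDS = [(100_00, 0.13), (250_00, 0.06), (500_00, 0.01)]

# Assumed mapping to 3DS 2.2 threeDSRequestorChallengeInd values: 03 = challenge
# requested, 02 = no challenge requested, 05 = TRA already performed,
# 08 = use whitelist exemption. Low value and recurring carry the generic 02.
CHALLENGE_IND = {None: "03", "trusted_beneficiary": "08", "recurring": "02",
                 "low_value": "02", "tra": "05"}

@dataclass
class CardCounters:
    """Issuer-side state for one card since the last SCA (hypothetical name)."""
    exempt_count: int = 0
    exempt_amount: int = 0
    trusted_merchants: set = field(default_factory=set)
    authenticated_recurring: set = field(default_factory=set)   # {(merchant, amount)}

def low_value_applies(amount, counters):
    # Assumption: the current payment counts toward both caps.
    return (amount <= LOW_VALUE_LIMIT
            and counters.exempt_count < LOW_VALUE_MAX_COUNT
            and counters.exempt_amount + amount <= LOW_VALUE_CUMULATIVE)

def tra_applies(amount, psp_fraud_rate_pct):
    """The PSP may claim TRA only if its fraud rate is at or below the
    reference rate of the band the amount falls in; nothing above EUR 500."""
    for ceiling, max_rate in TRA_THRESHOLDS:
        if amount <= ceiling:
            return psp_fraud_rate_pct <= max_rate
    return False

def choose_exemption(amount, merchant, counters, psp_fraud_rate_pct, recurring=False):
    """Return the exemption a merchant would request, or None when SCA is due.
    Order of preference is a design choice: whitelist first (issuer-backed),
    then recurring, then low value (cheap to check), then TRA."""
    if merchant in counters.trusted_merchants:
        return "trusted_beneficiary"
    if recurring and (merchant, amount) in counters.authenticated_recurring:
        return "recurring"
    if low_value_applies(amount, counters):
        return "low_value"
    if tra_applies(amount, psp_fraud_rate_pct):
        return "tra"
    return None

def challenge_indicator(exemption):
    return CHALLENGE_IND[exemption]

def record_outcome(counters, amount, merchant, exemption):
    """Update issuer counters after the decision: an SCA resets the low-value
    counters and makes (merchant, amount) eligible for the recurring exemption;
    any exempt payment advances the counters, whichever exemption was used."""
    if exemption is None:
        counters.exempt_count = 0
        counters.exempt_amount = 0
        counters.authenticated_recurring.add((merchant, amount))
    else:
        counters.exempt_count += 1
        counters.exempt_amount += amount

if __name__ == "__main__":
    c = CardCounters()
    for i in range(6):                       # six EUR 20 payments: the 6th needs SCA
        ex = choose_exemption(2000, "Decathlon", c, psp_fraud_rate_pct=0.5)
        print(i + 1, ex, challenge_indicator(ex))
        record_outcome(c, 2000, "Decathlon", ex)
```

Note the asymmetry the code makes visible: the low-value counters live at the issuer, so a merchant that requests the exemption on the sixth €20 payment will simply see the issuer step up to a challenge; and a TRA-exempt payment still advances those counters, because Article 16 counts every transaction since the last SCA, not only low-value ones.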
What 3DS does not do
- Does not cover credit transfers (PISP): these fall under a different SCA flow, handled directly by the bank, outside the card scheme.
- Does not guarantee the absence of fraud: a challenge completed under phishing or social engineering (the victim approves the push notification themselves) remains a valid authentication for the bank. The liability shift then protects the merchant, not the cardholder.
- Is not systematic: exemptions apply broadly, and MIT is out of SCA scope altogether.
- Is not mandatory outside Europe: the protocol is global, but SCA is only mandated in the EEA (and, under its own rules, in the UK). In the United States, frictionless is almost systematic.
The liability shift: the benefit for the merchant
As soon as a payment is authenticated through 3DS2, whether by a challenge or by a frictionless decision (transStatus Y in the ARes or RReq, or an attempt, A), liability for fraud chargebacks shifts from the merchant to the issuing bank: no more chargebacks on that ground. This is the major economic incentive to use 3DS even when an SCA exemption would be possible: when the merchant requests an exemption and the issuer grants it without authenticating, the liability stays with the merchant.
In the PSD2 ecosystem
3DS2 is the enforcement arm of SCA for card payments, one of PSD2's two main authentication channels. The other groups the API-native SCA flows (redirect, decoupled, embedded) for credit transfers and aggregation.
Concrete examples
- Frictionless in practice: you pay Decathlon from your usual phone, on your usual wifi, at 2 p.m., for €35. The ACS accepts automatically, you see nothing, the payment goes through in 1.5 seconds.
- Challenge in practice: same merchant, but from a new device, at midnight, for €450. The ACS requests an SCA: push in the banking app, biometrics, return to the merchant page.
- PSPs that optimise frictionless: Adyen, Stripe, Checkout.com, Worldline and Mollie invest in proprietary risk engines to maximise the frictionless/challenge ratio without losing security — a major differentiator in the market.
- E-commerce case: a large French merchant reaches 70–85% of frictionless payments with 3DS2, versus ~30% under 3DS1, for a 5–15 point conversion gain.
- Trusted beneficiary: on BNP Mes Comptes or Boursorama, adding Amazon or Spotify to your trusted merchants normally gives you frictionless on subsequent payments; the issuer may still challenge if its risk engine objects.
- Apple Pay / Google Pay: these wallets use a token (DPAN) that replaces the real card number, and SCA is performed locally via Face ID or Touch ID. On the bank's side, it is treated as an already validated SCA — a particularly smooth flow.
- 3DS 2.3: published by EMVCo and rolled out gradually (2024–2026), it streamlines out-of-band authentication, handles retries better and makes whitelists more dynamic.